CISO Corner: Critical Infrastructure Misinformation; France's Atos Bid

Source: Emre Akkoyun via Alamy Stock Photo

Welcome to CISO Corner, Dark Reading’s weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we’ll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We’re committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

In this issue of CISO Corner:

• France Seeks to Protect National Interests With Bid for Atos Cybersec

• Multifactor Authentication Is Not Enough to Protect Cloud Data

• Global: Bug Bounty Programs, Hacking Contests Power China’s Cyber Offense

• Catching Up on Innovation With NIST CSF 2.0

• Space: The Final Frontier for Cyberattacks

• Addressing Misinformation in Critical Infrastructure Security

France Seeks to Protect National Interests With Bid for Atos Cybersec

By Jai Vijayan, Contributing Writer, Dark Reading

By offering to buy Atos’ big data and cybersecurity operations. Paris is trying to make sure key technologies do not fall under foreign control.

The government of France’s recent bid to acquire the big data and cybersecurity division of Atos for some $750 million is an indication of the financially beleaguered company’s vital importance to the country’s defense interests.

It’s a move that analysts say is about retaining domestic control over technology integrated into sensitive government, defense industrial base systems, supercomputers for simulating nuclear bomb tests, and a range of other critical infrastructure. Atos is also the primary cybersecurity provider to the upcoming Olympic Games in Paris.

Importantly, if the deal goes through, the French government will have a direct stake in a company that can help significantly bolster its technology and cybersecurity capabilities. “It makes sense for the French government to upgrade its defenses,” says Mike Janke, co-founder of DataTribe. “For years, we have seen governments invest in critical companies through numerous means, but it has been rare for them to buy a company. We’ll see if this emerges as a trend.”

Read more: France Seeks to Protect National Interests With Bid for Atos Cybersec

Related: Airbus Calls Off Planned Acquisition of Atos Cybersecurity Group

Multifactor Authentication Is Not Enough to Protect Cloud Data

By Robert Lemos, Contributing Writer, Dark Reading

Ticketmaster, Santander Bank, and other large firms have suffered data leaks from a large cloud-based service, underscoring that companies need to pay attention to authentication.

Over the past month a ransom gang possibly related to ShinyHunters or Scattered Spider, stole reams of customer records from Ticketmaster and Santander Bank and put it up for sale, asking for millions for the data. Both companies acknowledged the breaches after the postings.

The cause of the data leaks — and at least 163 other breaches — appears not be the use of stolen credentials and poor controls on multifactor authentication (MFA) for Snowflake cloud accounts.

But, while the theft of data from Snowflake’s systems could have been prevented by MFA, the companies’ failures go beyond the lack of that single control. Businesses using cloud services can learn important lessons from the latest spate of cloud breaches, researchers stress.

Read more: Multifactor Authentication Is Not Enough to Protect Cloud Data

Related: Snowflake Cloud Accounts Felled by Rampant Credential Issues

Global: Bug Bounty Programs, Hacking Contests Power China’s Cyber Offense

By Robert Lemos, Contributing Writer, Dark Reading

With the requirement that all vulnerabilities first get reported to the Chinese government, once-private vulnerability research has become a goldmine for China’s offensive cybersecurity programs.

China’s cybersecurity experts over the past decade have evolved from hesitant participants in global capture-the-flag competitions, exploit contests, and bug bounty programs to dominant players in these arenas — and the Chinese government is applying those spoils toward stronger cyber-offensive capabilities for the nation.

Its civilian hackers have directly benefited China’s cyber-offensive programs and are one example of the success of China’s cybersecurity pipeline, which the government created through its requirement that all vulnerabilities be directly reported to government authorities, says Eugenio Benincasa, senior researcher at the Center for Security Studies (CSS) at ETH Zurich, in a new report.

“By strategically positioning itself as the final recipient in the vulnerability disclosure processes of civilian researchers, the Chinese government leverages its civilian vulnerability researchers, among the best globally, on a large scale and at no cost,” he says.

Read more: Bug Bounty Programs, Hacking Contests Power China’s Cyber Offense

Related: China APT Stole Geopolitical Secrets From Middle East, Africa & Asia

Catching Up on Innovation With NIST CSF 2.0

Commentary by Jamie Moles, Senior Technical Manager, ExtraHop

The updated framework is an equalizer for smaller organizations to meet the industry at its breakneck pace of innovation.

The National Institute of Standards and Technology’s Cybersecurity Framework 2.0 (NIST CSF 2.0) provides an important roadmap for reexamining security initiatives, fending off evolving threats, and preparing to meet today’s innovations with a more guided approach. While just a framework, it can be used to inform three critical changes all organizations should make in the year ahead.

1. Building a New Approach to Securing Infrastructure: A strong governance strategy establishes all people, process, and organizational concerns for cybersecurity. This includes the development of a cybersecurity strategy and policies, oversight for the strategy and policies, controls for supply chain, and more.

2. Investing to Fit Specific Business Needs: NIST CSF 2.0 can help determine areas and levels of risk, and from there, organizations can decide on the right solutions.

3. Developing an Organizationwide Approach to Security Hygiene: While the right tools are essential, a critical part of NIST CSF 2.0’s “Protect” focuses on awareness, training, and identity and access management as critical safeguards to managing risk.

Read more: Catching Up on Innovation With NIST CSF 2.0

Related: NIST Releases Cybersecurity Framework 2.0

Space: The Final Frontier for Cyberattacks

By Jai Vijayan, Contributing Writer, Dark Reading

A failure to imagine — and prepare for — threats to outer-space related assets could be a huge mistake at a time when nation-states and private companies are rushing to deploy devices in a frantic new space race.

A distributed denial-of-service (DDoS) attack this week disabled electronic door locks across a major lunar settlement, trapping dozens of people indoors and locking out many more in lethal cold. The threat actor behind the attack is believed responsible for also commandeering a swarm of decades-old CubeSats last year and attempting to use them to trigger a chain reaction of potentially devastating satellite crashes.

Neither “incident” has happened, of course. Yet. But they well could, sometime in the not-too-distant future, and now is the time to start thinking about and planning for them.

Assessing capabilities in cybersecurity is never easy, and it’s even worse for the space domain because of the inherent national-security concerns that may classify much of that information. Space cybersecurity is shrouded in mystery from the start, which isn’t surprising since space launches started as military missions.

But security by obscurity will not be an option for long.

Read more: Space: The Final Frontier for Cyberattacks

Related: The European Space Agency Explores Cybersecurity for Space Industry

Addressing Misinformation in Critical Infrastructure Security

By Roman Arutyunov, Co-Founder & Senior Vice President, Products, Xage Security

As the lines between the physical and digital realms blur, widespread understanding of cyber threats to critical infrastructure is of paramount importance.

The Francis Scott Key Bridge collapse in Baltimore, Md., in late March sent shockwaves through the country. Almost immediately, there was widespread speculation and conspiracy theories regarding its cause, including fears of a cyberattack. Although investigations ruled out deliberate sabotage, the incident raised public concern about the vulnerability of physical infrastructure. Some members of Congress even called for further investigation into the possibility of malicious code being involved.

The incident highlighted a general lack of awareness regarding the reality and scale of cyber-risks to critical infrastructure. While physical incidents capture headlines and public attention, silent, invisible attacks on critical infrastructure remain poorly understood.

Theorizing can distort public understanding of cyber threats, undermine trust in legitimate news sources, and complicate efforts to educate the public and stakeholders about the fundamental nature of cyber threats and the necessary precautions to mitigate them. The public’s reaction to the Francis Scott Key Bridge collapse demonstrates the collective anxiety about cyber threats to critical infrastructure.

Read more: Addressing Misinformation in Critical Infrastructure Security

Related: Volt Typhoon Hits Multiple Electric Utilities, Expands Cyber Activity

About the Author(s)

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.